January 24, 2001
Audit Report No. 01-003


Implementation of Release I of the
Corporate Human Resources
Information System

Federal Deposit Insurance Corporation                                                   Office of Audits
Washington, D.C. 20434                                                      Office of Inspector General


   DATE:            January 24, 2001

   TO:              Arleas Upton Kea, Director
                    Division of Administration

                    Donald C. Demitros, Chief Information Officer and Director,
                    Division of Information Resources Management

   FROM:            David H. Loewenstein
                    Assistant Inspector General

   SUBJECT:         Audit of the Implementation of Release I of the Corporate Human Resources
                    Information System (Audit Report No. 01-003)


The Federal Deposit Insurance Corporation’s (FDIC) Office of Inspector General (OIG) has been continuing its audit involvement in the development of the Corporate Human Resources Information System (CHRIS). This interim report covers our activities related to the implementation of Release I of CHRIS. CHRIS is an integrated human resources (HR) management system based on the PeopleSoft Federal Human Resources Management System software. The FDIC plans for it ultimately to provide an integrated system supporting all HR functions.

This is the second audit report we have issued on the CHRIS project during our proactive audit coverage of CHRIS.[1] The purpose of this report is to provide management with the most recent results of our review.

   [1] Report entitled Acquisition of Software and Services to Support the Corporate Human Resources Information System (Audit Report No. 00-011), issued March 31, 2000.


BACKGROUND

HR administration encompasses a wide range of functions related to the management of personnel, from the time a prospective employee applies for a position until the time the employee leaves the Corporation. It includes establishing policies and procedures related to the recruitment, employment, classification, training, management, promotion and retirement of personnel. HR administration also includes the collection and maintenance of the data related to the employment process.

Numerous shortfalls, both technical and functional, have previously been identified with the processing of the FDIC’s HR actions. The FDIC’s HR function includes 14 separate HR systems maintained on 7 different technical platforms. Many of the systems did not comply with the FDIC’s Information Technology Strategic Plan or with the existing corporate hardware and software standards. Because of the outdated platforms, outdated technology, and incomplete documentation, the Division of Administration (DOA) and the Division of Information Resources Management (DIRM) invested inordinate resources to update the existing systems to accommodate new HR initiatives brought about by legislative and regulatory changes, union agreements, and internal policy changes. The CHRIS project was initiated to address the FDIC’s HR processing shortfalls. CHRIS is based on the federalized commercial-off-the-shelf (COTS) HR software package provided by PeopleSoft. PricewaterhouseCoopers was awarded the contract to perform the integration services for PeopleSoft’s software. The project is being implemented incrementally using four separate releases:

       •   Release I: Personnel Processing and Payroll Interface
       •   Release II: Vacancies, Performance Management, and Labor Relations
       •   Release III: Training and Benefits Administration
       •   Release IV: Time and Labor

On March 31, 2000, we issued our report entitled Acquisition of Software and Services to Support the Corporate Human Resources Information System. That report discussed our review of the CHRIS project’s early development activities, including the initial project planning and the award of software and services contracts to support CHRIS. Our review supported the CHRIS project team’s recommendation to acquire COTS software and found that the solicitation and award process for the implementation of CHRIS was well supported and followed FDIC procurement policies.

When complete, Release I of CHRIS will (1) establish a core personnel database including organizational, position, and employee data; (2) implement a personnel action request process with workflow-enabled routing and approval; (3) provide additional capabilities, including processing awards, employee actions, and executive actions, as part of the personnel processing system; (4) convert data residing at the National Finance Center (NFC); (5) establish an interface between CHRIS and the NFC; and (6) provide basic operational and analytical reporting capabilities.

The FDIC’s rollout strategy for CHRIS Release I was to implement the release in the FDIC’s Atlanta and Memphis regions in November 2000 and to complete the corporate-wide rollout by February 2001. By November 16, 2000, the rollout for the Atlanta and Memphis regions had been successfully completed.

CHRIS project costs through November 2000 totaled approximately $4.7 million. The CHRIS project manager estimated that the cost to complete Release I of CHRIS will be $5.8 million. This cost is consistent with the original April 1999 CHRIS cost estimate.


OBJECTIVES, SCOPE, AND METHODOLOGY

The objectives of our overall audit of CHRIS are to ensure that the system is developed in accordance with the FDIC’s system development life cycle (SDLC) methodology, meets user requirements, provides adequate security and internal controls, and is developed in an effective and efficient manner. This interim phase of our audit applied these objectives to the development and implementation of Release I of CHRIS. We conducted this phase of our audit between April 2000 and December 2000 in accordance with generally accepted government auditing standards.

To accomplish our audit objectives, we interviewed DIRM and DOA project team members, were briefed on and evaluated the CHRIS oversight committee decisions, and reviewed SDLC documentation developed by the project team. The SDLC documentation that we reviewed included the fit-gap analysis,[2] system integration testing results, and user acceptance testing results. We also reviewed documentation supporting the key senior management decision points that provided the authority to proceed with the CHRIS development. CHRIS project management also requested that we review and provide our suggestions on the memorandum of understanding (MOU) between the Directors of DOA and DIRM requesting that the CHRIS application be granted an interim, 1-year waiver of certain FDIC security standards. Finally, we compared the CHRIS project costs through November 2000 with those that were originally developed.

   [2] A fit-gap analysis is a process in which the project team builds a prototype COTS environment expressly for the purpose of identifying where the software does, or does not, meet user requirements. As a result of this exercise, the project team delivers a list of requirements, or gaps, that are not met by the COTS product and that may require customization.


RESULTS OF AUDIT

The CHRIS project team successfully implemented Release I of CHRIS in the FDIC’s Atlanta and Memphis regions. In doing so, the project team managed costs effectively, gained user acceptance, and implemented Release I of CHRIS in a timely manner. However, the security features of Release I did not meet the FDIC’s security standards for password management and system auditing and will require manual intervention to reduce risk to an acceptable level.


IMPLEMENTATION OF RELEASE I OF CHRIS IN THE ATLANTA AND MEMPHIS REGIONS WAS SUCCESSFUL, BUT SECURITY IMPROVEMENTS ARE NEEDED

The CHRIS project team successfully implemented Release I of CHRIS in the Atlanta and Memphis regions by maintaining a structured process that followed SDLC procedures. During the implementation, the project team adequately oversaw the implementation contractor, actively involved the user community in the implementation process, kept senior management abreast of the progress of CHRIS, and worked closely with DIRM security personnel in mitigating certain security exposures within CHRIS.

By issuing fixed-price task orders under the implementation contract, the project team was able to maintain control of the CHRIS implementation cost. We determined that CHRIS project costs through November 2000 totaled approximately $4.7 million. The CHRIS project manager estimated that the cost to complete Release I of CHRIS will be $5.8 million. This cost is consistent with the original April 1999 CHRIS cost estimate. The project team also kept changes to the original PeopleSoft software to a minimum: measured by the number of objects in the PeopleSoft software, these changes represented about eight percent of the original product. The rollout of Release I in the Atlanta and Memphis regions proceeded on time and was successfully completed, and users provided positive feedback on the implementation process.

Although certain issues regarding CHRIS security require an interim waiver from existing security requirements, the project team is in the process of developing compensating manual security controls to reduce risks to an acceptable level. The project team is also developing a detailed plan to provide automated procedures that address the CHRIS security issues.


Password Management and System Auditing Can Be Improved

DIRM’s Information Security Staff (ISS) completed the CHRIS Independent Security Review (ISR) report in June 2000. In that report, ISS determined that security limitations of the PeopleSoft product meant that CHRIS did not meet certain FDIC security standards. ISS stated that the limitations related to system access control measures and system auditing. Specifically, ISS found that CHRIS contained (1) no automated or manual process to identify compromised passwords, and (2) embedded passwords that could permit unauthorized access. ISS also determined that a detailed password management policy was needed to assign specific responsibilities for monitoring and controlling CHRIS access. Additionally, ISS identified several security auditing controls that will not be satisfied by Release I of CHRIS. These missing controls include (1) a capability to monitor system use, and (2) audit trails that capture system activities. Further, the system audit logs cannot be enabled without degrading performance. The ISR report recommended that the CHRIS project team request a waiver of certain FDIC security standards and develop a plan for later improvements in the auditing capability. Our audit confirmed the concerns raised by ISS.

Our office assisted DOA and ISS in developing a waiver request that would be acceptable to all parties. The result was an MOU signed by DOA and DIRM management on November 14, 2000. The MOU was limited to 1 year and provided an interim solution for the CHRIS security shortfalls. In that MOU, the CHRIS project team committed to specific actions, including testing the CHRIS audit logging function before the full implementation of CHRIS, developing compensating manual controls and policies, and providing ISS, by March 31, 2001, with a detailed plan identifying how the CHRIS project team intends to comply with all applicable security standards after the waiver expires. Because the CHRIS project management team is in the process of implementing the requirements of the MOU, and because our office will be actively involved in overseeing the development of the subsequent releases of CHRIS, we are not making any recommendations in this report.
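The following is an added illustration and is not part of the OIG report, the MOU, or the CHRIS/PeopleSoft implementation. It shows the kind of detective control that could stand in for the two gaps ISS identified (no process to identify compromised passwords, and no capability to monitor system use) while the automated audit-logging plan is being delivered: a review of an application audit trail for indicators of credential compromise and for interactive use of accounts whose passwords are embedded in interfaces. The log format, account names, host names, and thresholds are constructed for the example; they are not taken from CHRIS.

```python
"""
Added illustration of a compensating detective control over an application
audit trail. The log format, account and host names, and thresholds are
constructed for this example and are not taken from CHRIS, PeopleSoft or
the FDIC audit report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records, one per line: "timestamp|user|source_host|event".
SAMPLE_LOG = """\
2000-11-15T08:01:10|jsmith|atl-ws-014|LOGIN_OK
2000-11-15T08:02:40|jsmith|atl-ws-014|VIEW_EMPLOYEE
2000-11-15T09:15:02|mjones|mem-ws-007|LOGIN_FAIL
2000-11-15T09:15:09|mjones|mem-ws-007|LOGIN_FAIL
2000-11-15T09:15:15|mjones|mem-ws-007|LOGIN_FAIL
2000-11-15T09:15:21|mjones|mem-ws-007|LOGIN_FAIL
2000-11-15T09:15:27|mjones|mem-ws-007|LOGIN_FAIL
2000-11-15T09:15:40|mjones|mem-ws-007|LOGIN_OK
2000-11-15T10:00:00|rlee|atl-ws-022|LOGIN_OK
2000-11-15T10:04:00|rlee|mem-ws-031|LOGIN_OK
2000-11-15T11:30:00|nfc_interface|atl-ws-009|LOGIN_OK
2000-11-15T23:10:00|jsmith|atl-ws-014|LOGIN_OK
"""

# Accounts whose credentials are embedded in interfaces or batch jobs (constructed
# names). They should never appear in an interactive login.
SERVICE_ACCOUNTS = {"nfc_interface", "batch_loader"}

FAIL_THRESHOLD = 5                    # failures within FAIL_WINDOW before a success
FAIL_WINDOW = timedelta(minutes=5)
HOST_WINDOW = timedelta(minutes=15)   # one account on two hosts within this window
BUSINESS_HOURS = range(6, 21)         # 06:00 to 20:59 local time


def parse_log(text):
    """Parse pipe-delimited records into (datetime, user, host, event) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, event = line.split("|")
        records.append((datetime.fromisoformat(ts), user, host, event))
    return sorted(records)


def find_indicators(records):
    """Return (user, reason) findings for a security officer to review, in log order."""
    findings = []
    fails = defaultdict(list)   # user -> timestamps of LOGIN_FAIL inside FAIL_WINDOW
    last_login = {}             # user -> (timestamp, host) of the most recent LOGIN_OK
    for ts, user, host, event in records:
        if event == "LOGIN_FAIL":
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            continue
        if event != "LOGIN_OK":
            continue
        # 1. A burst of failures followed by a success: a guessed or compromised password.
        recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            findings.append((user, "success after %d failures" % len(recent)))
        fails[user] = []
        # 2. One account on two hosts within HOST_WINDOW: a shared or stolen credential.
        prev = last_login.get(user)
        if prev and prev[1] != host and ts - prev[0] <= HOST_WINDOW:
            findings.append((user, "logins from %s and %s within %s" % (prev[1], host, HOST_WINDOW)))
        last_login[user] = (ts, host)
        # 3. An embedded/service credential used interactively.
        if user in SERVICE_ACCOUNTS:
            findings.append((user, "service account used for interactive login"))
        # 4. A login outside business hours.
        if ts.hour not in BUSINESS_HOURS:
            findings.append((user, "login outside business hours at %s" % ts.isoformat()))
    return findings


if __name__ == "__main__":
    for user, reason in find_indicators(parse_log(SAMPLE_LOG)):
        print("%-14s %s" % (user, reason))
```

Run against the constructed log, the check reports four items: the mjones success after five failures, the rlee logins from two hosts four minutes apart, the interactive use of the nfc_interface service account, and the jsmith login at 23:10. A manual review of this kind only reduces risk if the audit records exist and are retained, which is why the MOU's commitment to test the audit logging function before full implementation matters.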